Array variables acquired via the POST method do not appear in the $HTTP_POST_VARS array unless magic_quotes_gpc is DISABLED.
For example, if one uses a checkbox array named thus:
<input type="checkbox" name="fred[]" value="1">
<input type="checkbox" name="fred[]" value="2">
<input type="checkbox" name="fred[]" value="3">
an array variable called $fred will appear in the global namespace (assuming register_globals is ON). The same array variable should also appear as $HTTP_POST_VARS["fred"] (assuming track_vars is ON).
The BUG results in $HTTP_POST_VARS["fred"] appearing, but not as an array variable. That is, is_array($HTTP_POST_VARS["fred"]) returns FALSE. Further, the value of $HTTP_POST_VARS["fred"] is the string literal "Array" which curiously is the same string returned when an array variable is accessed in a scalar context.
If magic_quotes_gpc is DISABLED, this problem vanishes and the value of $HTTP_POST_VARS["fred"] is the anticipated array of values of selected checkboxes.
It looks to me like PHP4 is storing the result of a scalar access to the array variable $fred in $HTTP_POST_VARS["fred"] when magic_quotes_gpc is enabled. I think this qualifies as a bug.

I'm unable to reproduce this with PHP 4.0.6RC1.
Please try it: http://www.php.net/~andi/php-4.0.6RC1.tar.gz
And also, replace your php.ini with the php.ini-dist that
comes with the package. Then change the appropriate directives.
--Jani

It appears this problem as I described earlier does exist in PHP 4.0.6.

[2001-10-15 03:08 UTC] bruce at causal dot com

Mea Culpa.
The problem was caused by a PHP script designed to strip slashes from $HTTP_POST_VARS when magic_quotes_gpc is enabled but unwanted (i.e., in situations where one does not have the authority to turn magic_quotes_gpc off).
It simply applied stripslashes() to each element of $HTTP_POST_VARS but this is not enough as a POST variable may be an array.
This was indeed the case in my checkbox example.
I have since written this function to stripslashes correctly (it works "in place", caveat emptor):
function &stripallslashes(&$variable) {
    // Strip slashes recursively (works around magic_quotes_gpc).
    if (is_array($variable)) {
        // Recurse into each element so array values such as fred[] stay arrays.
        foreach (array_keys($variable) as $key) {
            stripallslashes($variable[$key]);
        }
    } elseif (is_string($variable)) {
        // Assign back through the reference so the change is made in place.
        $variable = stripslashes($variable);
    }
    // Any other type is returned untouched.
    return $variable;
}
Applied to HTTP_POST_VARS thus:
    stripallslashes($HTTP_POST_VARS);
resolves the problems I was having.
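
The failure mode diagnosed in this thread, shown beside a structure-preserving cleanup, as an added example that is not code from the report or from PHP itself. The names sample_post, strip_flat and strip_deep and the sample data are constructed for illustration; the code assumes a current PHP with closures and array_walk_recursive().

```php
<?php
// Constructed sample of what a script receives when magic_quotes_gpc is on:
// one text field plus the fred[] checkbox group from the report.
function sample_post() {
    return array(
        'name' => 'O\\\'Brien',                  // the string O\'Brien
        'fred' => array('1', '3'),               // two boxes ticked
        'note' => array('x' => array('a\\"b')),  // nested value a\"b
    );
}

// Flawed cleanup: treats every POST value as a scalar string.
function strip_flat(array $post) {
    foreach ($post as $key => $value) {
        // PHP 4 string functions coerced an array argument to "Array";
        // the coercion is spelled out because current PHP rejects arrays here.
        $post[$key] = stripslashes(is_array($value) ? 'Array' : $value);
    }
    return $post;
}

// Corrected cleanup: visit only the leaves and leave the array shape alone.
function strip_deep(array $post) {
    array_walk_recursive($post, function (&$leaf) {
        if (is_string($leaf)) {
            $leaf = stripslashes($leaf);
        }
    });
    return $post;
}

$flat = strip_flat(sample_post());
$deep = strip_deep(sample_post());

var_dump(is_array($flat['fred']));  // the checkbox group after the flat pass
var_dump($flat['fred']);
var_dump(is_array($deep['fred']));  // the checkbox group after the deep pass
echo $deep['name'], "\n";
echo $deep['note']['x'][0], "\n";
```

Code that later validates or filters $flat['fred'] would be checking a placeholder string instead of the submitted values, so input cleanup of this kind has to preserve the type of each field.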